Hi list,

After reading a lot in the mailing list and the official Samba 3 howto, I am still unable to give domain admin rights to a user, so that he gets admin rights on all workstations in the domain.

Here is what I have:

- Samba 3.08 PDC, config:

[global]
workgroup = ANT
netbios name = ANTSRV
netbios aliases = RUN KITS HOMES LIB PRINTERS
server string = ANT Samba Server %v

printcap name = /etc/samba/smbprintcap
load printers = yes
printing = lprng
printer admin = @adm

log file = /var/log/samba/log.%m
max log size = 50

map to guest = bad user
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/private/smbpasswd

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
logon path = \\%L\Profiles\%U

<shares removed>

- Client: Vanilla Windows XP Professional, SP2, domain member, no special registry settings

- Groups:

root@antsrv2 [~] # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> ntadmin
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-4008939791-1949703945-886196202-513) -> wiss
Domain Admins (S-1-5-21-4008939791-1949703945-886196202-512) -> ntadmin
Backup Operators (S-1-5-32-551) -> -1
Domain Guests (S-1-5-21-4008939791-1949703945-886196202-514) -> nogroup
Users (S-1-5-32-545) -> wiss

root@antsrv2 [~] # getent group ntadmin
ntadmin:x:1060:rebehn

This should be enough to give user rebehn admin rights on all workstations in the domain, right?

But it does not work. When I try to partition disks on a workstation, I get a message saying that I do not have the necessary rights.

Questions:
- Did I miss something obvious?
- How can I debug on server/client side?

Thanks for any help.

PS: winbindd is not running. Do I need it?

--
Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax : -3341
Heinrich Rebehn wrote:

The last handled first...

> PS: winbindd is not running. Do I need it?

As far as I can tell, this is to have Linux logins utilize the Samba security back end vs the Linux security. Some shops are forced to have AD as their master master master security... thus Unix/Linux boxes must look to that for authentication... thus winbindd.

Security... I'd suggest reviewing my KLUG presentation on Samba 3 PDC setup. It was developed for Win2K but WinXP is not that far off. I'd also suggest getting the M$ ifmember.exe tool and issuing it with the /list option to better understand what is going on at the workstation side. It helped me debug security oddities.

ftp://ftp.lueckdatasystems.com/pub/presentations/klugsamba3pdc-bookreview.pdf

I specifically did NOT want domain admins to always be workstation admins, thus I break those ties. Your choice on how to handle that point.

--
Michael Lueck
Lueck Data Systems

Remove the upper case letters NOSPAM to contact me directly.
| After reading a lot in the mailing list and the official Samba 3 howto,
| i am still unable to give domain admin rights to a user, so that he gets
| admin rights on all workstations in the domain.
|
| Here is what i have:

1. If you are using ldap, you should know that the posixgroup objectClass is out of date and that you will need a different objectClass to provide Administrative access to the LDAP database itself. Specifically, groupOfNames.

2. I think you may be approaching this wrong. I have to assume that you are using something that actually has such a group, so perhaps that means XP.

On XP Pro: Right-click on the Start button and select "Properties". Select the Customize button. Select the Advanced tab. Navigate to the Control Panel item. Select the "Display as menu" radio button.

After having made these changes, you will then find that you can navigate to the Control Panel using the start menu and right-click on the Control Panel menu items. This also means that you can use the "runas" context menu item to run them as an Administrator. I don't know if this works on NT/2K but you might consider looking for something similar.

The advantage of this technique is that your user remains just a user. You get what you need when you need it but not what you don't, making your system much more secure. The function of runas is similar in nature to something like kdesu. It is very handy indeed once you get used to it.

3. I remember researching ways to upgrade my user to Administrative group membership using a command line technique. Since I know this can be done, I also know that it can be incorporated into a simple command line login script. What such a script should do is:

A. Check to see if the current user is a member of the local "Administrators" group.
B. If no, use the runas facility and add them; otherwise exit.

For efficiency, you might consider using groups instead. Samba does not support groups as members of groups, but your local machine probably will. Thus you could write your script so that it adds the remote group "Domain Users" to the local group "Administrators".

It is just my opinion, but I would use the techniques mentioned in #2 coupled with #3, but only in regards to the Power Users group, just to make life easier.

Jim C.

--
I can be reached on the following Instant Messenger services:
MSN: j_c_llings @ hotmail.com   AIM: WyteLi0n   ICQ: 123291844
Y!: j_c_llings   Jabber: jcllings @ njs.netlab.cz
Jim C. wrote:

> | After reading a lot in the mailing list and the official Samba 3 howto,
> | i am still unable to give domain admin rights to a user, so that he gets
> | admin rights on all workstations in the domain.
> |
> | Here is what i have:
>
> 1. If you are using ldap, you should know that the posixgroup
> objectClass is out of date and that you will need a different
> objectClass to provide Administrative access to the LDAP database
> itself. Specifically, groupOfNames.

LDAP is only used by the Unix system. Samba does not use LDAP; it is even compiled w/o LDAP support. So, as long as getgrent(3) shows that a user is in the ntadmin group, the user should get admin rights.

--Heinrich
FWIW, I believe you'll be experiencing problems with this part of your setup:

> Administrators (S-1-5-32-544) -> ntadmin
> Domain Admins (S-1-5-21-4008939791-1949703945-886196202-512) -> ntadmin

I don't believe that is legal. Or perhaps it is only illegal if ntadmin is someone's primary group, not secondary. I just fought with this one myself. Does anyone have a good resource on this?

----
Ryan Novosielski - User Support Spec. III
novosirj@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630

On Fri, 10 Dec 2004, Heinrich Rebehn wrote:

> Hi list,
>
> After reading a lot in the mailing list and the official Samba 3 howto, i am
> still unable to give domain admin rights to a user, so that he gets admin
> rights on all workstations in the domain.
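As an added example (editor's code, not from the thread or from the Samba project), here is a small Python 3 audit script for the two things this thread turns on: which Unix groups a PDC's `net groupmap list` maps to more than one NT group (Ryan's point about ntadmin sitting behind both Administrators and Domain Admins), and which Unix users `getent group` actually lists as members of the group behind a given NT group (the check Heinrich is relying on). The groupmap sample is the output posted above; the `getent group` sample reuses the posted ntadmin line and adds constructed wiss and nogroup lines so the lookups have data.

```python
"""Audit Samba 3 group mappings against Unix group membership.

Parses the text of 'net groupmap list' and 'getent group' and reports
(a) Unix groups shared by several NT groups and (b) the supplementary
members of the Unix group behind a given NT group. The sample data is
embedded so the script runs offline; on a real PDC replace the two
constants with the live command output.
"""
import re

# 'net groupmap list' output as posted in the thread (ANT domain).
GROUPMAP_OUTPUT = """\
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> ntadmin
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-4008939791-1949703945-886196202-513) -> wiss
Domain Admins (S-1-5-21-4008939791-1949703945-886196202-512) -> ntadmin
Backup Operators (S-1-5-32-551) -> -1
Domain Guests (S-1-5-21-4008939791-1949703945-886196202-514) -> nogroup
Users (S-1-5-32-545) -> wiss
"""

# 'getent group' output. The ntadmin line is the one posted in the thread;
# the wiss and nogroup lines are constructed sample data.
GETENT_OUTPUT = """\
ntadmin:x:1060:rebehn
wiss:x:1050:rebehn,alice
nogroup:x:65534:
"""

# One groupmap line looks like: "<NT name> (<SID>) -> <unix group or -1>"
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return a list of (nt_name, sid, unix_group); unix_group is None
    for an unmapped entry, which net prints as '-1'."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised groupmap line: %r" % line)
        unix = None if m.group("unix") == "-1" else m.group("unix")
        mappings.append((m.group("name"), m.group("sid"), unix))
    return mappings


def parse_getent(text):
    """Return {unix_group: set(supplementary members)} from getent lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = set(filter(None, members.split(",")))
    return groups


def shared_unix_groups(mappings):
    """Unix groups that more than one NT group maps to, in groupmap order."""
    by_unix = {}
    for name, _sid, unix in mappings:
        if unix is not None:
            by_unix.setdefault(unix, []).append(name)
    return {u: names for u, names in by_unix.items() if len(names) > 1}


def members_of_nt_group(mappings, groups, nt_name):
    """Unix users listed as supplementary members of nt_name's Unix group."""
    for name, _sid, unix in mappings:
        if name == nt_name:
            return set() if unix is None else groups.get(unix, set())
    raise KeyError(nt_name)


def report(groupmap_text=GROUPMAP_OUTPUT, getent_text=GETENT_OUTPUT):
    """Build the audit lines; returned rather than printed so they can be tested."""
    mappings = parse_groupmap(groupmap_text)
    groups = parse_getent(getent_text)
    lines = []
    for unix, names in sorted(shared_unix_groups(mappings).items()):
        lines.append("unix group %r is mapped to %s" % (unix, " and ".join(names)))
    for nt_name in ("Administrators", "Domain Admins"):
        members = members_of_nt_group(mappings, groups, nt_name)
        lines.append("%s members (supplementary only): %s"
                     % (nt_name, ", ".join(sorted(members)) or "<none>"))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Two caveats when reading its output. First, `getent group` only shows the gr_mem field, i.e. supplementary members; a user whose primary GID is the mapped group will not appear there and has to be looked up through `getent passwd`, which is exactly the primary-versus-secondary distinction Ryan raises. Second, the script only reports that a Unix group is shared between a BUILTIN group (S-1-5-32-...) and a domain group; whether Samba accepts that configuration is the open question in the thread, and the script does not claim to settle it.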